add a force re-registration option to the scan script (#504) #73
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Sign PowerShell Scripts | |
| on: | |
| workflow_dispatch: | |
| inputs: | |
| skip-publish: | |
| description: 'Skip publishing' | |
| required: false | |
| default: false | |
| type: boolean | |
| push: | |
| branches: | |
| - main | |
| paths: | |
| - '**.ps1' | |
| - '**.psm1' | |
| - '**.psd1' | |
| jobs: | |
| sign_scripts: | |
| name: Sign PowerShell scripts | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Check out repository | |
| uses: actions/checkout@v4 | |
| - name: Install jSign (Windows Signing Tool) -- Required for public runners | |
| run: | | |
| curl --retry 10 --retry-delay 60 -LO https://github.com/ebourg/jsign/releases/download/5.0/jsign_5.0_all.deb | |
| sudo dpkg -i ./jsign_5.0_all.deb | |
| - name: Configure DigiCert Signing Variables | |
| shell: bash | |
| run: | | |
| # CertLocker Authentication Certifiate | |
| CERT_PATH="$(mktemp -t cert.XXX)" | |
| echo "${{ secrets.SM_CLIENT_CERT_FILE_B64 }}" | base64 --decode > ${CERT_PATH} | |
| echo "SM_CLIENT_CERT_FILE=${CERT_PATH}" >> "$GITHUB_ENV" | |
| echo "SM_CLIENT_CERT_PASSWORD=${{ secrets.SM_CLIENT_CERT_PASSWORD }}" >> "$GITHUB_ENV" | |
| # CertLocker API Key & Host | |
| echo "SM_API_KEY=${{ secrets.SM_API_KEY }}" >> "$GITHUB_ENV" | |
| echo "SM_HOST=${{ secrets.SM_HOST }}" >> "$GITHUB_ENV" | |
| # DigiCert CertLocker Code Signing Certificate | |
| echo "SM_CODE_SIGNING_CERT_SHA1_HASH=${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }}" >> "$GITHUB_ENV" | |
| echo "SM_CERT_ALIAS=${{ secrets.SM_CERT_ALIAS }}" >> "$GITHUB_ENV" | |
| - name: Sign powershell script | |
| run: | | |
| jsign --storetype DIGICERTONE --alias "${SM_CERT_ALIAS}" --storepass "${SM_API_KEY}|${SM_CLIENT_CERT_FILE}|${SM_CLIENT_CERT_PASSWORD}" --tsaurl "http://timestamp.digicert.com" install.ps1 | |
| jsign --storetype DIGICERTONE --alias "${SM_CERT_ALIAS}" --storepass "${SM_API_KEY}|${SM_CLIENT_CERT_FILE}|${SM_CLIENT_CERT_PASSWORD}" --tsaurl "http://timestamp.digicert.com" download.ps1 | |
| jsign --storetype DIGICERTONE --alias "${SM_CERT_ALIAS}" --storepass "${SM_API_KEY}|${SM_CLIENT_CERT_FILE}|${SM_CLIENT_CERT_PASSWORD}" --tsaurl "http://timestamp.digicert.com" powershell/Mondoo.Installer/Mondoo.Installer.psm1 | |
| jsign --storetype DIGICERTONE --alias "${SM_CERT_ALIAS}" --storepass "${SM_API_KEY}|${SM_CLIENT_CERT_FILE}|${SM_CLIENT_CERT_PASSWORD}" --tsaurl "http://timestamp.digicert.com" powershell/Mondoo.Installer/Mondoo.Installer.psd1 | |
| - name: Commit changes | |
| if: ${{ github.event.inputs.skip-publish != true }} | |
| run: | | |
| # ensure windows line-feed | |
| git config --global core.autocrlf true | |
| # commit changes | |
| git config --global user.email "[email protected]" | |
| git config --global user.name "Mondoo Tools" | |
| git add install.ps1 | |
| git add download.ps1 | |
| git add powershell/Mondoo.Installer/Mondoo.Installer.psm1 | |
| git add powershell/Mondoo.Installer/Mondoo.Installer.psd1 | |
| git commit -m "Sign powershell scripts" | |
| git push | |
| - name: Cleanup | |
| run: | |
| rm -f ${CERT_PATH} |